CHDK Forum

CHDK Development => General Discussion and Assistance => Firmware Dumping => Topic started by: rlyon on 27 / May / 2008, 23:13:53

Title: Problems dumping the SD1100IS/IXUS80IS
Post by: rlyon on 27 / May / 2008, 23:13:53
There is a problem in attempting to get a firmware dump from this new model. It appears that it is not possible to get diskboot.bin to run from a bootable, locked, FAT, 1 GB, SD card on camera power up (in review mode). The camera simply powers up as normal without delay and displays a message indicating the detection of a locked card.

ver.req may be used to get firmware version. The presence of a file called ps.fi2 causes the display of the firmware update menu item.

Maybe a different first sector format is required in this camera to indicate a bootable card? Or maybe a different binary filename? Does anyone have any ideas or information?

An alternative approach is to create a custom ps.fi2 file which will be used to dump the firmware using LED blinking or writing to the SD card. What are the format/layout requirements for a valid ps.fi2 file? I have heard rumours that it contains encrypted data. Does anyone actually have a valid ps.fi2 file supplied by Canon?

Canon has released quite a few new models in the last few months and I suspect they are all going to present the same difficulties in obtaining a firmware dump. This includes the following models:

SD890IS, SD790IS, SD770IS, SD1100IS, A590 IS, A580 and maybe the A470.

Has anyone had luck getting diskboot.bin or a blinker to run on these models?

Regards ...
Title: A470?
Post by: stunted on 29 / May / 2008, 05:39:46
I'm very interested in the A470. I've been hanging around on the forum to see if it's going to be supported.

I have an old S50 (not compatible I don't think) and shoot exclusively in RAW mode (particularly useful when diving) and have been searching for months for a replacement when I found CHDK.

Very excited, if I can get this to work I'm looking for cameras for 3 ~ 5 people.

If I were to buy one how likely is it that as a novice I could help things progress?
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: rlyon on 29 / May / 2008, 06:22:52
I'm speculating about how the A470 works. uDumper may work correctly or it may have the same problems as with the SD1100IS/IXUS80 IS. I'm interested in the SD1100IS/IXUS80IS and perhaps/maybe trying to work on some porting for that model.

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: stunted on 30 / May / 2008, 22:42:21
There was a user NoobSchoolBus on the forums who had one,
http://chdk.setepontos.com/index.php/topic,1199.msg11029.html#msg11029 (http://chdk.setepontos.com/index.php/topic,1199.msg11029.html#msg11029)

I've PM'd him to find out if he ever dumped the firmware.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: NoobSchoolBus on 31 / May / 2008, 00:49:37
Quote
There was a user NoobSchoolBus on the forums who had one,
http://chdk.setepontos.com/index.php/topic,1199.msg11029.html#msg11029 (http://chdk.setepontos.com/index.php/topic,1199.msg11029.html#msg11029)

I've PM'd him to find out if he ever dumped the firmware.

Sorry guys, I took the a470 back to the shop and bought an sx100 IS which seems to be pretty much the only reasonably priced camera on the market at the moment that supports remote capture.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: pricead on 03 / June / 2008, 01:49:54
any update on getting the SD1100 dumped?
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: stunted on 04 / June / 2008, 00:31:22
Quote
Sorry guys, I took the a470 back to the shop and bought an sx100 IS which seems to be pretty much the only reasonably priced camera on the market at the moment that supports remote capture.

OK, thanks for the update. Do we think the A470 will support remote capture if/when we can get chdk on it?

I'm going to see how much they are here in Singapore. If it's not too much I'll get one to see if I can get the dump. Problem is I've got so much on at the mo, I'm not sure when I'll have time.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 06 / June / 2008, 10:52:09
Quote
There is a problem in attempting to get a firmware dump from this new model. It appears that it is not possible to get diskboot.bin to run from a bootable, locked, FAT, 1 GB, SD card on camera power up (in review mode). The camera simply powers up as normal without delay and displays a message indicating the detection of a locked card. ...
I found something!

I got an ixus 82 is, which is an 80 with a blue case. I tried to dump firmware with udumper w/o success. But I found some reactions of the cam:

Code:
zero   empty.dum
touch diskboot.bin
lock sd
power on "nothing happens" => brick, no more power on even w/o sd-card. Had to remove batt to resurrect cam

Ok, same with dryos diskboot.bin, camera simply operates as normal.

I looked through 960is.dump to get some inspiration. The string "A/uartr.req" made me curious because there seems to be a shell inside the dump. Mh, how might that work? Another usb-endpoint? No. The presence of that file did nothing special on usb, but .... try this:
Code:
On SD:
dryos diskboot.bin
empty empty.dum
lock sd, card into cam
connect usbcable to computer (!)
power on

10: splash screen "card is locked" for 1 second,
camera switches off (!)

not bricked, power on again: goto 10

On my linux host pc, on usb bus nothing happened.

So, with usbcable something happens. However, the udumper doesn't seem to work. empty.bin still zero.

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 06 / June / 2008, 13:12:32
Quote
I found something!

Seems like diskboot.bin is still read and even executed. The cam just won't execute our existing binaries.

I've observed something on my A720 when I was making udumper-tests. If the diskboot-file was too small, the cam wouldn't load it, still my cam hangs with an empty diskboot-file (just tested). I found out that the minimum size to get diskboot.bin started was about 20k. The actual code was only a few hundred bytes long and file size was increased by appending zeros.

Here's a small test program that should immediately turn on all LEDs on your cam (if the program runs). The program itself is only about 25 bytes long, 100k are padded (see Make.bat). Feel free to play around with file sizes and see what is necessary to get the program running. If you want to recompile, it was built with the win32-toolchain (http://chdk.wikia.com/wiki/Compiling_CHDK_under_Windows).

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 06 / June / 2008, 14:03:31
Hi Jeff!

I'll give that a try.

edit:

No success. I tried up to 512k.

Mh, the cam also switches off, when I plug in the usb cable after power on.

ps: I'm linux user .... mh, arm assembler looks cute ... :)
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 06 / June / 2008, 14:17:07
Quote
ps: I'm linux user ....

Me too (well, both linux and win32, actually). I used the win32-toolchain because it's faster to "install" for the first tests. Now I have the linux-toolchain and use that.

Quote
mh, arm assembler looks cute ... :)

Yes, very nice ASM dialect. After reading ARM ASM for a while, I load a x86-binary into IDA and find it ugly and chaotic. One day I will throw my PC hardware into the garbage and get ARM-devices :)

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: rlyon on 07 / June / 2008, 00:28:00
Quote
I looked through 960is.dump to get some inspiration. The string "A/uartr.req" made me curious because there seems to be a shell inside the dump. Mh, how might that work? Another usb-endpoint? No. The presence of that file did nothing special on usb, but .... try this:

Where did you get a dump of IXUS960IS? No one has reported dumping this camera.

diskboot.bin does not work with the IXUS960IS.

The IXUS960IS firmware will be close to the IXUS80IS.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 07 / June / 2008, 09:05:52
Quote
Where did you get a dump of IXUS960IS? No one has reported dumping this camera.
diskboot.bin does not work with the IXUS960IS.
The IXUS960IS firmware will be close to the IXUS80IS.
here: IXUS960IS - CHDK Wiki (http://chdk.wikia.com/wiki/IXUS960IS)
I'm still wondering how he did it.

@jeff:
2 questions
1. I've now got gcc-arm ready. I can compile udumper and ledblink, but make in chdk.trunk gives me:
Code:
[chris@hirnlego ~/ixus/chdk.trunk]$ LC_ALL=c make
>> Entering to tools
pakwif.c -> pakwif.o
as: unrecognized option `-Qy'
make[1]: *** [pakwif.o] Error 1
make: *** [all-recursive] Error 1

2. how to disassemble a firmware dump? which (linux/gnu) tool to use?

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 07 / June / 2008, 09:51:27
Quote
>> Entering to tools
pakwif.c -> pakwif.o
as: unrecognized option `-Qy'
make[1]: *** [pakwif.o] Error 1

Your local c-compiler is damaged. The programs in tools/ are built using your local c-compiler (usually gcc) since they're supposed to run on your host.

Quote
2. how to disassemble a firmware dump? which (linux/gnu) tool to use?

Our reference disassembler is IDA pro. See here (http://chdk.wikia.com/wiki/Loading_dump_to_IDA) and here (http://chdk.wikia.com/wiki/DryOS_Porting).


Quote
No success. I tried up to 512k.

Did you rebuild the source I posted or just added padding?
If you compiled the source yourself, post the binary so I can make sure your compiler worked (=run it on my cam).
Did you only try larger file sizes or smaller ones as well?

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 07 / June / 2008, 11:57:13
Quote
>> Entering to tools
pakwif.c -> pakwif.o
as: unrecognized option `-Qy'
make[1]: *** [pakwif.o] Error 1

Your local c-compiler is damaged. The programs in tools/ are built using your local c-compiler (usually gcc) since they're supposed to run on your host.
Ah, it used the arm gcc ... hehe, ok it compiles now.
Quote
No success. I tried up to 512k.
Did you rebuild the source I posted or just added padding?
Both. Also padded udumper up to 512k
Quote
If you compiled the source yourself, post the binary so I can make sure your compiler worked (=run it on my cam).
ok, attached
Quote
Did you only try larger file sizes or smaller ones as well?

Smaller not yet. Damn SD cards: my poor fingernails ... I saw the upload stuff libptp2, want to use that! But actually, with any diskboot.bin on SD + USB cable, the cam switches off. I guess I can't upload anything.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 07 / June / 2008, 12:40:41
Quote
Did you rebuild the source I posted or just added padding?
Both. Also padded udumper up to 512k

Don't go for udumper for now. Keep it as simple as possible. This reduces the possibilities for errors. We first want to light up an LED.

Quote
ok, attached

Seems ok, at least it works here (after some padding).

Quote
Damn SD cards: my poor fingernails ... I saw the upload stuff libptp2, want to use that!

Use a card reader (and maybe one which doesn't require breaking your fingers to insert/remove the card).

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 07 / June / 2008, 16:35:24
so far not much progress.

The arm in the cam really runs in little endian, normal mode?!

if diskboot.bin is 0 size -> cam brick
if diskboot is any size, first byte 0x00 -> cam brick

if diskboot is any size, first byte != 0x00 -> cam "normal" (but usb plug powers off)

mh, we need some magic at beginning???

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: rlyon on 08 / June / 2008, 22:18:26
Quote
here: IXUS960IS - CHDK Wiki (http://chdk.wikia.com/wiki/IXUS960IS)
I'm still wondering how he did it.

I don't believe this is the IXUS960IS. There is some confusion on IXUS model numbering. The IXUS960IS operates in a similar manner to the IXUS80IS. The same dumping techniques will be applicable.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 09 / June / 2008, 13:13:09
So, I looked into the ARM reference and into ixus860is_dump ... which might be close to sd1100 or not.
(only have arm-objdump ... stuff like IDA only exists in proprietary windows world :P )

1. it looks for DISKBOOT.BIN and then Upgrader.bin. confirmed.

Code:
r0 -> *file (?!)
ff8650cc:   e5d02000    ldrb    r2, [r0]
ff8650d0:   e3520000    cmp r2, #0  ; 0x0
ff8650d4:   112fff1e    bxne    lr
ff8650d8:   e5902010    ldr r2, [r0, #16]
ff8650dc:   e59f303c    ldr r3, [pc, #60]   ; ff865120 <_binary_ixus860is_dump_start+0x55120>
-> "gaon"isoy

ff8650e0:   e1520003    cmp r2, r3
ff8650e4:   05902020    ldreq   r2, [r0, #32]
ff8650e8:   059f3034    ldreq   r3, [pc, #52]   ; ff865124 <_binary_ixus860is_dump_start+0x55124>
-> gaon"isoy"

ff8650ec:   01520003    cmpeq   r2, r3
ff8650f0:   012fff1e    bxeq    lr
...
don't understand the rest, yet.

2. it looks if the first byte is 0x00, and then checks "gaonisoy" ...

confirmed.
0x00 => brick
0x00 and "gaon" at #16 and "isoy" at #32 => no brick, (but still hates usb)

I googled for that string. Found "yosinoag", which is a little japanese assurance company.

Code:
ff82bbd8:   e59d1000    ldr r1, [sp]
ff82bbdc:   e1a00004    mov r0, r4
ff82bbe0:   eb00e539    bl  ff8650cc <_binary_ixus860is_dump_start+0x550cc>
ff82bbe4:   e3a00101    mov r0, #1073741824 ; 0x40000000
ff82bbe8:   e5906000    ldr r6, [r0]
ff82bbec:   e59d5000    ldr r5, [sp]
ff82bbf0:   ebffbf31    bl  ff81b8bc <_binary_ixus860is_dump_start+0xb8bc> IRQ off?!
ff82bbf4:   e3a03c19    mov r3, #6400   ; 0x1900
ff82bbf8:   e1a02005    mov r2, r5
ff82bbfc:   e1a01004    mov r1, r4
ff82bc00:   e3a00c19    mov r0, #6400   ; 0x1900
ff82bc04:   e12fff36    blx r6
ff82bc08:   e8bd40f8    ldmia   sp!, {r3, r4, r5, r6, r7, lr}
ff82bc0c:   ea006226    b   ff8444ac <_binary_ixus860is_dump_start+0x344ac>

So, it gets the jump address from 0x40000000 ...

Questions:
Has canon implemented exception handling?
What happens on other cams, if there is an undefined instruction or a breakpoint (freeze/brick/reboot/poweroff)?
In which mode does the ARM cpu run (LE, User Mode, whatever)? Do we have a MMU?
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: user1 on 09 / June / 2008, 13:22:07
Quote
.. stuff like IDA only exists in proprietary windows world :P

Really? (http://www.hex-rays.com/idapro/linux/index.htm)
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 09 / June / 2008, 13:28:07
Quote
.. stuff like IDA only exists in proprietary windows world :P

Really? (http://www.hex-rays.com/idapro/linux/index.htm)
Code:
"The (Linux) IDA Pro debugger, disassembler and remote debuggers are not sold separately but are included in the normal IDA Pro Windows distribution."
There's no stuff like this in the GNU world ... usually we have the source ;)

The IDA demo version can't read raw, the free version can't do ARM. Both don't have linux stuff on board.

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: TPC on 09 / June / 2008, 23:14:54
Hey chr,

Quote
So, I looked into the ARM reference and into ixus860is_dump ... which might be close to sd1100 or not.
(only have arm-objdump ... stuff like IDA only exists in proprietary windows world :P )

1. it looks for DISKBOOT.BIN and then Upgrader.bin. confirmed.

Code:
r0 -> *file (?!)
ff8650cc:   e5d02000    ldrb    r2, [r0]
ff8650d0:   e3520000    cmp r2, #0  ; 0x0
ff8650d4:   112fff1e    bxne    lr
ff8650d8:   e5902010    ldr r2, [r0, #16]
ff8650dc:   e59f303c    ldr r3, [pc, #60]   ; ff865120 <_binary_ixus860is_dump_start+0x55120>
-> "gaon"isoy

ff8650e0:   e1520003    cmp r2, r3
ff8650e4:   05902020    ldreq   r2, [r0, #32]
ff8650e8:   059f3034    ldreq   r3, [pc, #52]   ; ff865124 <_binary_ixus860is_dump_start+0x55124>
-> gaon"isoy"

ff8650ec:   01520003    cmpeq   r2, r3
ff8650f0:   012fff1e    bxeq    lr
...
don't understand the rest, yet.

2. it looks if the first byte is 0x00, and then checks "gaonisoy" ...

confirmed.
0x00 => brick
0x00 and "gaon" at #16 and "isoy" at #32 => no brick, (but still hates usb)

I googled for that string. Found "yosinoag", which is a little japanese assurance company.

Code:
ff82bbd8:   e59d1000    ldr r1, [sp]
ff82bbdc:   e1a00004    mov r0, r4
ff82bbe0:   eb00e539    bl  ff8650cc <_binary_ixus860is_dump_start+0x550cc>
ff82bbe4:   e3a00101    mov r0, #1073741824 ; 0x40000000
ff82bbe8:   e5906000    ldr r6, [r0]
ff82bbec:   e59d5000    ldr r5, [sp]
ff82bbf0:   ebffbf31    bl  ff81b8bc <_binary_ixus860is_dump_start+0xb8bc> IRQ off?!
ff82bbf4:   e3a03c19    mov r3, #6400   ; 0x1900
ff82bbf8:   e1a02005    mov r2, r5
ff82bbfc:   e1a01004    mov r1, r4
ff82bc00:   e3a00c19    mov r0, #6400   ; 0x1900
ff82bc04:   e12fff36    blx r6
ff82bc08:   e8bd40f8    ldmia   sp!, {r3, r4, r5, r6, r7, lr}
ff82bc0c:   ea006226    b   ff8444ac <_binary_ixus860is_dump_start+0x344ac>

So, it gets the jump address from 0x40000000 ...

Questions:
Has canon implemented exception handling?
What happens on other cams, if there is a undefined instruction or a breakpoint (freeze/brick/reboot/poweroff)?
In which mode does the ARM cpu run (LE, User Mode, whatever)? Do we have a MMU?


I've run through the 860is dump in IDA and can confirm that what you've found is true.

I can also confirm that the A580 exhibits the same behavior with diskboot.bin - 0 at 0x00, "noag" at 0x16, and "yosi" at 0x32 = camera boots, but won't run code on the card. Yet.

Having 0 at 0x00 and anything else at any other address = no activity from camera.

Here's a question - what does a Japanese insurance company have to do with executing code on Canon digital cameras? What is it about that particular string that opens Pandora's box? We may never know.

Again, I'm using an A580 to crack this code and not an IXUS80... I'll let you know if I find anything that might be useful to you.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: TPC on 11 / June / 2008, 00:44:48
Just a progress report...

This is from the IXUS80IS firmware.



Quote
ROM:FF8650CC LoadBootFile                            ; CODE XREF: StartDiskboot+9Cp
ROM:FF8650CC                                         ; sub_FF8F9CB0+88p ...
ROM:FF8650CC                 LDRB    R2, [R0] // Load the first byte of the DISKBOOT.bin file to R2
ROM:FF8650D0                 CMP     R2, #0 // Compare R2 to "0"
ROM:FF8650D4                 BXNE    LR // If not equal, branch to LR (break out, go somewhere else)
ROM:FF8650D8                 LDR     R2, [R0,#0x10] // Read DISKBOOT.bin file at 0x10 (16)
ROM:FF8650DC                 LDR     R3, =0x6E6F6167 // Set R3 to "noag"
ROM:FF8650E0                 CMP     R2, R3 // Compare R2 and R3
ROM:FF8650E4                 LDREQ   R2, [R0,#0x20] // If equal, read DISKBOOT.bin file at 0x20 (32)
ROM:FF8650E8                 LDREQ   R3, =0x796F7369 // If equal, set R3 to "yosi"
ROM:FF8650EC                 CMPEQ   R2, R3 // If equal, compare R2 and R3
ROM:FF8650F0                 BXEQ    LR // WTF!? If equal, branch to LR (break)
ROM:FF8650F4                 SUB     R2, R1, #1 // Else, do this stuff...
ROM:FF8650F8                 MOV     R1, #0
ROM:FF8650FC
ROM:FF8650FC loc_FF8650FC                            ; CODE XREF: LoadBootFile+44j
ROM:FF8650FC                 CMP     R1, R2
ROM:FF865100                 ADDCC   R3, R0, R1
ROM:FF865104                 LDRCCB  R3, [R3,#1]
ROM:FF865108                 STRCCB  R3, [R0,R1]
ROM:FF86510C                 ADDCC   R1, R1, #1
ROM:FF865110                 BCC     loc_FF8650FC // Loop (loading DISKBOOT.bin to RAM?)
ROM:FF865114                 MOV     R1, R0
ROM:FF865118                 B       sub_FF865008 // Branch unconditionally to sub_FF865008
ROM:FF865118 ; End of function LoadBootFile

My interpretation of this is that having "noag" and "yosi" in the right spots on the card causes the camera to boot as normal. I don't have a reasonable explanation for this at all. It seems that all we need is "0" at 0x00 and "noag" at 0x10 and theoretically the camera will try to load whatever is in the DISKBOOT.bin file. I need to study this assembly code for a bit longer.

That's it for now.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: pricead on 11 / June / 2008, 01:00:58
I just want to say I appreciate the work you guys are doing!
/me stares at his SD1100 and wishes for chdk soon
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: r8dhex on 11 / June / 2008, 05:55:30
Quote
I just want to say I appreciate the work you guys are doing!
/me stares at his SD1100 and wishes for chdk soon

Same here...

I haven't been able to touch our SD1100 lately, since my wife's been using it...
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 11 / June / 2008, 14:27:26
Hi TPC!

"BXEQ    LR" is a conditional "ret". the LR register holds the return address.

the "noag" and "yosi" must be a special sense of humor: I expected it's a positive magic. Who knows, maybe that company has a funny TV spot?

The rest reads like this:
Code:
r1 = len ?
ff8650f4: e2412001 sub r2, r1, #1 ; 0x1 // r2 = r1 - 1
ff8650f8: e3a01000 mov r1, #0 ; 0x0     // r1 = 0
// r0=*file; r1=0; r2=len-1                   //
ff8650fc: e1510002 cmp r1, r2            // for (r1=0; r1<r2 ;r1++)  {
ff865100: 30803001 addcc r3, r0, r1    //   r3 = r0 + r1
ff865104: 35d33001 ldrccb r3, [r3, #1]  //   r3 = (char)*(r3 + 1)
ff865108: 37c03001 strccb r3, [r0, r1]  //   *(char)(r0 + r1) = r3
ff86510c: 32811001 addcc r1, r1, #1    //   r1++;
ff865110: 3afffff9 bcc ff8650fc          // }
So, it shifts the file one byte down in memory. Makes sense. I tried the led blinker with putting one, 63, 64, 65 0x00 in front: brick, no led. (0x00000000 = "andeq r0, r0, r0" is (almost) a NOP ?!)

I followed the rest and I saw, 40 bytes are allocated on stack. it puts stuff from #ff86511c in it, then it reads from the first bytes from diskboot.bin. So I guess we have a file header of 40+1 bytes.

Any known binary formats with a header size like this?!
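A host-side model of the LoadBootFile check read out in the two disassembly listings above, as an added example (not Canon's code and not part of CHDK): it applies the first-byte test, the two magic-word compares and the one-byte shift loop to a constructed buffer, and shows why the same file bytes read as "gaon"/"isoy" in the objdump view but as the word constants "noag"/"yosi" in IDA. The outcome names and the sample image are this example's own.

```python
"""Re-implementation of the LoadBootFile entry check (ROM:FF8650CC) as seen
in the IXUS860IS/IXUS80IS dumps quoted in this thread.  Educational model
written for this post; it is not firmware code."""
import struct

# Word constants exactly as the firmware compares them.  The ARM core loads
# words little-endian, so the file bytes b"gaon" at 0x10 become the word
# 0x6E6F6167, which IDA renders big-endian as the string "noag".
MAGIC_10 = 0x6E6F6167   # file bytes b"gaon" at offset 0x10 (16)
MAGIC_20 = 0x796F7369   # file bytes b"isoy" at offset 0x20 (32)


def word_at(buf, offset):
    """LDR R2, [R0,#offset]: little-endian 32-bit load from the image."""
    return struct.unpack_from("<I", buf, offset)[0]


def word_as_ida_string(word):
    """How IDA shows a 32-bit constant as text (most significant byte first)."""
    return word.to_bytes(4, "big").decode("ascii")


def load_boot_file(image):
    """Model of LoadBootFile(R0=*file, R1=len).

    Returns (outcome, buffer_after) where outcome is one of:
      'untouched'  first byte != 0x00 -> BXNE LR, file left as loaded
      'magic'      first byte 0x00 and both words match -> BXEQ LR
      'shifted'    first byte 0x00, no magic: the loop copies byte i+1 over
                   byte i for i in 0..len-2, then falls into sub_FF865008
    The outcome names are this example's own labels.
    """
    buf = bytearray(image)
    n = len(buf)
    if n < 0x24:
        raise ValueError("image shorter than the 0x24 bytes the check reads")
    # LDRB R2,[R0]; CMP R2,#0; BXNE LR
    if buf[0] != 0x00:
        return "untouched", bytes(buf)
    # LDR R2,[R0,#0x10]; CMP R2,=0x6E6F6167; LDREQ/CMPEQ on [R0,#0x20]; BXEQ LR
    if word_at(buf, 0x10) == MAGIC_10 and word_at(buf, 0x20) == MAGIC_20:
        return "magic", bytes(buf)
    # SUB R2,R1,#1; MOV R1,#0; loop while R1 < R2: file[R1] = file[R1+1]
    for i in range(n - 1):
        buf[i] = buf[i + 1]
    return "shifted", bytes(buf)            # MOV R1,R0; B sub_FF865008


def make_magic_image(size=0x100):
    """Constructed sample: the 'no brick, boots normally' file chr and TPC
    describe (zero first byte, "gaon" at 16, "isoy" at 32, rest zero)."""
    img = bytearray(size)
    img[0x10:0x14] = b"gaon"
    img[0x20:0x24] = b"isoy"
    return bytes(img)


if __name__ == "__main__":
    print(word_as_ida_string(MAGIC_10), word_as_ida_string(MAGIC_20))
    print(load_boot_file(make_magic_image())[0])
```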



Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: TPC on 11 / June / 2008, 20:40:05
Quote
Hi TPC!

"BXEQ    LR" is a conditional "ret". the LR register holds the return address.

the "noag" and "yosi" must be a special sense of humor: I expected it's a positive magic. Who knows, maybe that company has a funny TV spot?

The rest reads like this:
Code:
r1 = len ?
ff8650f4: e2412001 sub r2, r1, #1 ; 0x1 // r2 = r1 - 1
ff8650f8: e3a01000 mov r1, #0 ; 0x0     // r1 = 0
// r0=*file; r1=0; r2=len-1                   //
ff8650fc: e1510002 cmp r1, r2            // for (r1=0; r1<r2 ;r1++)  {
ff865100: 30803001 addcc r3, r0, r1    //   r3 = r0 + r1
ff865104: 35d33001 ldrccb r3, [r3, #1]  //   r3 = (char)*(r3 + 1)
ff865108: 37c03001 strccb r3, [r0, r1]  //   *(char)(r0 + r1) = r3
ff86510c: 32811001 addcc r1, r1, #1    //   r1++;
ff865110: 3afffff9 bcc ff8650fc          // }
So, it shifts the file one byte down in memory. Makes sense. I tried the led blinker with putting one, 63, 64, 65 0x00 in front: brick, no led. (0x00000000 = "andeq r0, r0, r0" is (almost) a NOP ?!)

I followed the rest and I saw, 40 bytes are allocated on stack. it puts stuff from #ff86511c in it, then it reads from the first bytes from diskboot.bin. So I guess we have a file header of 40+1 bytes.

Any known binary formats with a header size like this?!

All Japanese TV is funny. I'm guessing it's the name of some guy's kid.

After looking over the code again I see that only having a 0 at 0x00 is needed to "catch" the camera's boot process. Testing for the other two strings doesn't seem to do anything useful, unless someone wanted to write a kickin' rad DISKBOOT.bin hack that makes their camera boot normally. ???

A 40 byte header, hmm... I'm going to go play with this.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 12 / June / 2008, 21:24:41
I think, we are wrong.
I looked further at the stuff in LoadBootFile ... it looks like a decryption  >:(

Also, in the 860 dump, I can't find the string 'Card locked' nor '*.fi2'

However, the file is loaded, that's for sure. I tried a 16M diskboot.bin. There's a noticeable delay on power up.
Mh, if the jump to *0x40000000 is the same in ix80 firmware ... and first byte != 0x00 the file is left untouched in memory. We need a 1G diskboot.bin to write at 0x40000000 maybe this overflow works. My largest SD card is a "1G" so can't try this now. Any FAT filesystem hackers here to fake such a file? ::)

The usb issue is maybe just a bug?
It doesn't freeze the cam, it really shuts down. The lens retracts before power off.
A present sd-bootdisk disables the IRQs as a side effect. Plugging in the USB emits one, I guess.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: faljse on 13 / June / 2008, 07:31:38

Quote
However, the file is loaded, that's for sure. I tried a 16M diskboot.bin. There's a noticeable delay on power up.
Mh, if the jump to *0x40000000 is the same in ix80 firmware ... and first byte != 0x00 the file is left untouched in memory. We need a 1G diskboot.bin to write at 0x40000000 maybe this overflow works. My largest SD card is a "1G" so can't try this now. Any FAT filesystem hackers here to fake such a file? ::)

I got an a590 which seems to work very similar to the ixus80.
Using a 16MB diskboot delays power up.
Diskboot.bin larger than about 17.5MB shuts the camera down (USB disconnected).
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 13 / June / 2008, 10:15:54
Quote
I got an a590 which seems to work very similar to the ixus80.
Using a 16MB diskboot delays power up.
Diskboot.bin larger than about 17.5MB shuts the camera down (USB disconnected).
Interesting! The cam really crashes but doesn't brick:

On my ixus82is/1100is:
insert sd-boot diskboot.bin >~17.5, first byte !=0x00
switch to rec mode
power on
now switch to play: crash: upper led lit up green, then lcd+led dark, lens doesn't retract
cam not bricked, can power on again.

I also tried a big diskboot file with led-blinker code inside: nothing.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 13 / June / 2008, 11:43:49
exact crash size is

0x010d.a300 + 1

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: ranti on 15 / June / 2008, 10:00:17
- deleted -
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: ranti on 15 / June / 2008, 10:01:52
I do appreciate the work you guys are doing!!!

I'm a newbie to this kind of stuff but I do have some programming and electronics experience.
So if there's anything I can help with...

Oh, btw:
IXUS 80 IS
P-ID: 3184 PAL D
GM1.01A
Jan 24, 2008

Adj Ver.012.005
IS Firm Ver. 3.00
IS Param Ver. 3.00
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 15 / June / 2008, 10:57:31
Bad news.

Yesterday my cam got a E18 "Lens error, restart camera" without any reason! :blink:

I did not drop the cam nor did I play with DISKBOOT. It simply refused to work. Looking closely I noticed the lens is not correctly mounted: the outer "Gummidichtung" (rubber seal) is not well fitting and maybe caused the blocking.

Today it operates as if nothing happened, but vers.req shows an "E18" with timestamp in the log.

So tomorrow I'm going to return the cam.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: faljse on 15 / June / 2008, 14:40:24
Quote
exact crash size is

0x010d.a300 + 1


When using a diskboot.bin larger than 30,953,664 bytes the cam (a590) doesn't even power up
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 20 / June / 2008, 22:04:01
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: TPC on 21 / June / 2008, 01:07:34
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 21 / June / 2008, 15:42:02
Quote
First: omg you got the camera firmware to run in qemu? That is front page material, sir.

Tx for the flowers  8)

I'm going to post details on using qemu-arm in an extra thread for ppl not having IDA. Still sorting stuff and copy'n'pasting stuff from bash_history.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: ccmcgeek on 22 / June / 2008, 01:05:36
That is great news chr!

I've just returned from vacation (that's "holiday" to my friends across the pond  ;)) with my new SD890 (IXUS 970), and though I had a wonderful time, I hope before my next trip I can have CHDK running on it  :)

To that end:  once you have a chance to write up how you got the LED-blinker to load, I'll give it a go on my ixus 970 as well.

I've tried the documented dumping methods briefly before leaving on my trip, but ran out of time when the camera wasn't reacting to diskboot.bin the way I had hoped...

Keep us up to date, thanks
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: rlyon on 23 / June / 2008, 05:38:18
Quote
I'm going to post details on using qemu-arm in an extra thread for ppl not having IDA. Still sorting stuff and copy'n'pasting stuff from bash_history.

This progress is good. I guess you guys have well and truly answered my original post. The idea of using an alternative to IDA is worthwhile as it eliminates the need to obtain a non-free or other version of IDA.
Cheers ...
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: PhyrePhoX on 23 / June / 2008, 06:40:18
indeed, this would be great.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 23 / June / 2008, 13:14:06
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 23 / June / 2008, 17:28:26
Hi folks!

Good and bad news.

The bad: I'm very short of time this week, so be patient ;)

The good: today I've been in my local Computer store. I talked to the Chief about Canon Cams. He grinned and said, we will never sell those to our customers again ... then he showed me his collection of bricked Canon Cams.

I got now an ixus i7 with Lens error for free (and another battery ;) ) I used some violence to resurrect it. Here we go: http://chdk.wikia.com/wiki/SD40 (http://chdk.wikia.com/wiki/SD40)
I hope, this will help me to understand, how the udumper works. It obviously doesn't work with the SD1100.

@jeff666: ok. I'll try that but first I need to get a phototransistor somewhere.


Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 01 / July / 2008, 17:59:32
Just a short update. I found LED_AF  @ 0xc0223030

blinker is running but need better adjustment. The recording looks odd.

Stay tuned ;)
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: pricead on 01 / July / 2008, 18:02:20
Quote
Just a short update. I found LED_AF  @ 0xc0223030

blinker is running but need better adjustment. The recording looks odd.

Stay tuned ;)

yay!
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 01 / July / 2008, 18:08:23
ok, and here is a crypted diskboot.bin with blinker inside.

Just in case anyone else want to give it a try.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: faljse on 02 / July / 2008, 12:59:03
Quote
ok, and here is a crypted diskboot.bin with blinker inside.

Just in case anyone else want to give it a try.
How does the encryption work?
Would be great if you could paste some code.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 04 / July / 2008, 05:39:05
Quote
How does the encryption work?
Would be great if you could paste some code.

I agree. A description or code would be great.

Have you tried to encode the udumper and dump the firmware using that?

Cheers
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: side78 on 05 / July / 2008, 10:34:04
Very interested in seeing this too... trying to dump the SD790IS, and seems to have similar problems to what you're trying to solve...
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: ccmcgeek on 05 / July / 2008, 11:50:59
Great work!

I confirm the encrypted blinker works on my SD890IS (IXUS 970), and the AF LED must be at the same address, because it turns on immediately and is blinking.  I will build the receiver circuit soon and attempt a dump.

If you have time to very briefly describe what encryption was required, that would be great.  As jeff666 says, it would be great to try encrypting the udumper program in the same fashion, to see if we can avoid having to set up the full blinker toolchain.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 05 / July / 2008, 17:14:01
Hello ppl!

I'm going to document everything! Be patient. I'm actually not at $HOME but I am currently in a hack lab. Had some trouble setting up a working PC from junk.

Sure, I tried a udumper in the cam, no success.

I need GrAnd's advice:
I'm using the A610 - SLOW (2500) [96KHz] timing. The FAST timing doesn't give me a good amplitude.
There is a noticeable gap every 5 seconds. I can see it with my eyes while dumping.
Smells like irqs are not dead?

Here's a dump, 8bit raw:
dump.raw.bz2 (http://www.zshare.net/download/14765844beb39ad6/)

Code:
I used
./adc2 -d 60 207   1 70   6 23 ~/ixdump2/dump.raw dump
60 140 9 80 1 17
... (more or less sync err)

./dec.o
read 6740 bytes...
found SIG at    3302... Base: 7f800000 CRC...a8a9...FAIL
found SIG at    4333... Base: 7f800400 CRC...c49f...FAIL
found SIG at    5364... Base: 7f800800 CRC...9449...FAIL
found SIG at    6396... Base: ff7f8000 CRC...1188...FAIL



first hexdump looks like this

00000408   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000420   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000438   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000450   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000468   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  789..0123456789..0123456
00000480   37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  37 38 39 0D  789..0123456789..012789.
00000498   0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  .0123456789..0123456789.
000004B0   0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  .0123456789..0123456789.
000004C8   0A 30 31 32  33 34 35 36  37 38 39 0D  0A 30 31 32  33 34 35 36  37 38 39 0D  .0123456789..0123456789.
000004E0   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
000004F8   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
00000510   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
00000528   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
00000540   38 39 0D 0A  30 31 32 33  34 35 36 37  38 39 0D 0A  30 31 32 33  34 35 36 37  89..0123456789..01234567
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 05 / July / 2008, 17:59:55
LED - Dumper images, encoded.

Use as diskboot.bin on a sd-bootable sd card

blinker1.cr.bin - 0.10MB (http://www.zshare.net/download/1476716866efc58f/)
blinker2.cr.bin - 0.10MB (http://www.zshare.net/download/147672255c4f9687/)

(actually I'm not sure who is who  ::) )

A610 - FAST (9230) [96KHz]
A610 - SLOW (2500) [96KHz]
(from speeds.txt)

AF LED should light and start 0123456789\a\d dump, rom at 0xff800000


led_on_off.bin.cr.5 - 0.10MB (http://www.zshare.net/download/14773661e12018b6/)
Switches the LED on and off in a loop. Also try holding down the power button for ~10 sec.
Code:
#define led_start 0xc0220000
#define led_end   0xc022f000
//AF  0xc0223030
#define delay 0x1000

// busy-wait; the nops keep the compiler from optimising the loop away
void sleep(int d) {
    for ( ; d>0; d--) {
        asm("nop");
        asm("nop");
    }
}

int main(){
    while (1) {
        // volatile: every store must really hit the MMIO register
        volatile long* led;

        // sweep upwards through the GPIO/LED register range, writing "on" (0x46)
        led=(volatile long*)led_start;
        while ((unsigned long)led < led_end) {
            *led = 0x46;
            led++;
            sleep(delay);
        }
        sleep(0x100000);
        // sweep back down, writing "off" (0x44)
        led=(volatile long*)led_end;
        while ((unsigned long)led > led_start) {
            *led = 0x44;
            led--;
            sleep(delay);
        }

        sleep(0x100000);
    }
    return 0;
}

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: dlw on 05 / July / 2008, 18:48:58
(quote) "My interpretation of this is that having "noag" and "yosi" in the right spots on the card causes the camera to boot as normal." (close quote)

I think you're right.  I have the same code in LoadBootFile in my G9 firmware.  You may have not yet seen the beginning of the firmware:  it's a branch around the constant, "gaonisoy".  This could well be a validity test.
 
I haven't been able to boot CHDK on my G9, so I'm grasping at straws.

Thanks for your work.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: side78 on 06 / July / 2008, 00:52:56
LED - Dumper images, encoded.

Very nice work, it appears to be working. I'm off to buy a photo resister :)

Any thoughts on extending this to dump to SD?
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 13 / July / 2008, 12:06:34
Here we go:

[DOWNLOAD LINKS] Firmware dumps available (http://chdk.setepontos.com/index.php/topic,288.msg17485.html#msg17485)

100%, no crc errors!

8) 8) 8)

Found the gap problem: it comes from the delay while calculating the crc for one block. This made my capture circuit crazy.
I put on/off around the crc call, shifted it before sending anything.
Also I added sending four 0x00 before each SIG, so my homebrewed circuit can properly swing up at each block.

Also started some documentation in the wiki:

GPL Tools - CHDK Wiki (http://chdk.wikia.com/wiki/GPL_Tools)
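As an added illustration of the block framing chr describes (four 0x00 bytes before each SIG, the CRC computed before any bit is sent), here is a small encoder plus a dec.o-style scanner in C. This is example code written for this thread, not chr's blinker, adc2 or dec.o: the SIG marker, the CRC-16/CCITT-FALSE choice, the 32-byte block size and the little-endian base field are all assumptions, and the "capture" is constructed inside the code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed frame layout (the thread gives the idea, not the exact bytes):
 *   [4 x 0x00 preamble][SIG marker][base address, 4 bytes LE][BLOCK_SIZE data][CRC-16, 2 bytes BE]
 * SIG, the CRC algorithm and the block size are assumptions made for this example. */
#define PREAMBLE_LEN 4
#define BLOCK_SIZE   32
#define FRAME_LEN    (PREAMBLE_LEN + 4 + 4 + BLOCK_SIZE + 2)
static const uint8_t SIG[4] = { 'S', 'I', 'G', '!' };

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); check value for "123456789" is 0x29B1. */
uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(p[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Build one complete frame into out[FRAME_LEN]. The CRC is computed here, before a
 * single bit goes to the LED, which is the fix for the mid-block pause. */
void frame_block(uint32_t base, const uint8_t *data, uint8_t *out) {
    size_t o = 0;
    memset(out, 0x00, PREAMBLE_LEN);            /* zeros let the receiver settle */
    o += PREAMBLE_LEN;
    memcpy(out + o, SIG, 4);                     o += 4;
    for (int i = 0; i < 4; i++) out[o++] = (uint8_t)(base >> (8 * i));
    memcpy(out + o, data, BLOCK_SIZE);           o += BLOCK_SIZE;
    uint16_t crc = crc16(out + PREAMBLE_LEN + 4, 4 + BLOCK_SIZE);  /* covers base + data */
    out[o++] = (uint8_t)(crc >> 8);
    out[o++] = (uint8_t)(crc & 0xFF);
}

typedef struct { size_t sig_at; uint32_t base; int crc_ok; } frame_info_t;

/* Receiver side: walk a captured byte stream and report every SIG with its base and
 * CRC verdict, the information dec.o prints as "found SIG at ... Base: ... CRC ... FAIL". */
size_t scan_stream(const uint8_t *s, size_t n, frame_info_t *res, size_t max) {
    const size_t body = FRAME_LEN - PREAMBLE_LEN;    /* bytes from SIG to end of CRC */
    size_t count = 0;
    for (size_t i = 0; i + body <= n && count < max; i++) {
        if (memcmp(s + i, SIG, 4) != 0) continue;
        const uint8_t *p = s + i + 4;                /* base address field starts here */
        uint32_t base = 0;
        for (int k = 0; k < 4; k++) base |= (uint32_t)p[k] << (8 * k);
        uint16_t want = (uint16_t)((p[4 + BLOCK_SIZE] << 8) | p[4 + BLOCK_SIZE + 1]);
        res[count].sig_at = i;
        res[count].base = base;
        res[count].crc_ok = (crc16(p, 4 + BLOCK_SIZE) == want);
        count++;
        i += body - 1;                               /* resume after this frame */
    }
    return count;
}

/* Constructed sample: two consecutive ROM blocks; a bit flip in the second one
 * stands in for a capture glitch. Returns the capture length (2 * FRAME_LEN). */
size_t build_sample_capture(uint8_t *out) {
    uint8_t data[BLOCK_SIZE];
    for (int i = 0; i < BLOCK_SIZE; i++) data[i] = (uint8_t)i;
    frame_block(0xff800000u, data, out);
    frame_block(0xff800000u + BLOCK_SIZE, data, out + FRAME_LEN);
    out[FRAME_LEN + PREAMBLE_LEN + 8 + 5] ^= 0x01;  /* corrupt data byte 5 of frame 2 */
    return 2 * FRAME_LEN;
}

int main(void) {
    uint8_t cap[2 * FRAME_LEN];
    frame_info_t r[4];
    size_t len = build_sample_capture(cap);
    size_t n = scan_stream(cap, len, r, 4);
    for (size_t i = 0; i < n; i++)
        printf("found SIG at %6zu... Base: %08x CRC...%s\n",
               r[i].sig_at, r[i].base, r[i].crc_ok ? "OK" : "FAIL");
    return 0;
}
```

Running it prints one OK frame and one FAIL frame; the base of the failed frame still decodes, so a scanner can tell a glitched block from a lost one and ask for just that range again.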
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 13 / July / 2008, 13:44:25
Firmware dumps available

Loads into IDA, DryOS-Signatures apply. Good work.

I had a quick look into the Diskboot-loader (LoadDiskbootFile). In your cam its return-value is checked and a new error message ("not executable") is written to stdout on failure. If the return-value of LoadDiskbootFile doesn't indicate an error, the same code as in existing cameras is executed. Also the load-function itself looks nearly identical, thus the decoding mechanism should have been needed before, but existing firmwares just didn't check for successful decoding.

It seems we have been exploiting a bug in the firmware to boot CHDK, until now.

Addresses: 
  StartDiskboot: 0xFF82A0B0
  LoadDiskbootFile: 0xFF8666BC

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 13 / July / 2008, 14:02:55
Firmware dumps available
Loads into IDA, DryOS-Signatures apply. Good work.
Cheers.

kewl!

Can we exchange symbol files? I'm thinking about hacking gdb to make it read at least a plain ascii symbol file:

Gpl Qemu - CHDK Wiki (http://chdk.wikia.com/wiki/Gpl_Qemu)

or ... can IDA save it in elf format w/symbols?
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 13 / July / 2008, 14:28:11
Can we exchange symbol files? I'm thinking about hacking gdb to make it reading at least a plain ascii symbol file:

Well, IDA has a function called "export map file". Have a look:
zSHARE - ixus1100.0xff81000-0xffb1ffff_led.map.bz2 (http://www.zshare.net/download/15248236726bacae/)

Quote
or ... can IDA save it in elf format w/symbols?

Negative.

Running the firmware in qemu seems like a lot of work but might be very useful.
Is it simple enough to rebuild the canon-hardware in qemu?
How do you handle unknown MMIO access?
Can you access the memory from outside qemu so it's possible to rebuild a GUI (display + LED output, kbd input)?

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 13 / July / 2008, 14:46:43
Well, IDA has a function called "export map file". Have a look:
zSHARE - ixus1100.0xff81000-0xffb1ffff_led.map.bz2 (http://www.zshare.net/download/15248236726bacae/)
Wrong offset. Mh, let's see if my renumber.pl works

Quote
Running the firmware in qemu seems like a lot of work but might be very useful.
Is it simple enough to rebuild the canon-hardware in qemu?
How do you handle unknown MMIO access?
Can you access the memory from outside qemu so it's possible to rebuild a GUI (display + LED output, kbd input)?

Cheers.
I posted the patch here:
Emulating Digicam with QEMU (http://chdk.setepontos.com/index.php/topic,1918.msg17500.html#msg17500)

in qemu's hw/ directory u find a lot of complete hardware setup from a full x86 IBM PC to simple ARM evaluation boards.
I just took an ARM, some RAM and a loader for the ROM. For I/O there are callbacks. So far I only printf but I found something like stdout. There's a SD cardreader implementation but someone must look with chdk into the cam to find out which chipset the cams use.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 13 / July / 2008, 16:05:54
Wrong offset. Mh, let's see if my renumber.pl works

A simple string-replace should be sufficient.


I looked for two functions in your firmware:
  WriteSDCard: 0xFF91F0C8
  ReadSDCard: 0xFF91EF70

WriteSDCard is used by udumper to write the firmware to the SD. I wrote some notes on how to use it. See this (http://chdk.setepontos.com/index.php/topic,1132.msg17178.html#msg17178) and the following posts.

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 13 / July / 2008, 16:41:50
I looked for two functions in your firmware:
  WriteSDCard: 0xFF91F0C8
  ReadSDCard: 0xFF91EF70

WriteSDCard is used by udumper to write the firmware to the SD. I wrote some notes on how to use it. See this (http://chdk.setepontos.com/index.php/topic,1132.msg17178.html#msg17178) and the following posts.

Cheers.

kewl. I'm going to build a udumper. Might work in other latest cams too.

Wait: these symbols were not in the file ???  !

And finally here's the diskboot.bin porno: Emulating Digicam with QEMU (http://chdk.setepontos.com/index.php/topic,1918.msg17501.html#msg17501)

Question: can IDA "run" the code like that?

Mh, we close this thread and open "porting SD1100"  ::)
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 13 / July / 2008, 19:27:44
kewl. I'm going to build an udumper. Might work in other latest cams too.
Wait: these symbols were not in the file ???  !

Those functions aren't part of the signature-file, thus they weren't in the file I posted earlier. I found the functions because I know how they are referred to.

Also note that the addresses only work for your firmware. Function locations differ in every firmware-build. The udumper locates WriteSDCard due to some hints and guesswork - it doesn't always succeed, though. See this (http://chdk.setepontos.com/index.php/topic,221.msg2726.html#msg2726) and the subsequent posts for details.

Quote
Question: can IDA "run" the code like that?

No, it's just a disassembler, not a debugger (at least the ARM-part).

Quote
Mh, we close this thread and open "porting SD1100"  ::)

Go on. Read the G9-porting-thread (http://chdk.setepontos.com/index.php/topic,1132.0.html) if you haven't, yet.

Cheers.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: mx3 on 14 / July / 2008, 00:42:39
SD1100IS/IXUS80IS dump (http://chdk.setepontos.com/index.php/topic,288.msg17485.html#msg17485)

it is great.
please share diskboot.bin project sources and crypter sources so other people could do the same with their similar camera models.
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 14 / July / 2008, 14:27:04
it is great.
please share diskboot.bin project sources and crypter sources so other people could do the same with their similar camera models.
Mh, I documented everything ... is something missing?
Also I don't like to talk about encryption. I know nothing about that. It may be illegal to look at. What I found so far is hardly encryption, is it? U read my post about decoding? Emulating Digicam with QEMU (http://chdk.setepontos.com/index.php/topic,1918.msg17501.html#msg17501)

Also note that the addresses only work for your firmware. Function locations differ in every firmware-build. The udumper locates WriteSDCard due to some hints and guesswork - it doesn't always succeed, though. See this (http://chdk.setepontos.com/index.php/topic,221.msg2726.html#msg2726) and the subsequent posts for details.

Argh! U Bastard! Why didn't u post this earlier???

Ok, quick try. udumper with fixed SDWrite address works! And the md5sum of the dump ... *drumroll* the same as the led dump.

But udumper with searching for the address did not work. However, running in gdb it's Bingo:

Code:

WriteSDCard: 0xff91f0c8
ReadSDCard:  0xff91ef70

ff84e81c:   e3a01000    mov r1, #0  ; 0x0
ff84e820:   e59f00b4    ldr r0, [pc, #180]  ; ff84e8dc <_binary_dump_bin_start+0x3e8dc>
ff84e824:   e5801034    str r1, [r0, #52]
ff84e828:   e5801038    str r1, [r0, #56]
ff84e82c:   e3a01003    mov r1, #3  ; 0x3
ff84e830:   e580103c    str r1, [r0, #60]
ff84e834:   e59f10c0    ldr r1, [pc, #192]  ; ff84e8fc <_binary_dump_bin_start+0x3e8fc>
ff84e838:   e580104c    str r1, [r0, #76]
ff84e83c:   e59f10bc    ldr r1, [pc, #188]  ; ff84e900 <_binary_dump_bin_start+0x3e900>
ff84e840:   e5801050    str r1, [r0, #80]
ff84e844:   e12fff1e    bx  lr

(gdb) j *0xff84e81c
Continuing at 0xff84e81c.

Breakpoint 3, 0xff84e844 in _binary_dump_bin_start ()
(gdb) x/32x $r0
0x11544:        0x00000000      0x00000000      0x00000000      0x00000000
0x11554:        0x00000000      0x00000000      0x00000000      0x00000000
0x11564:        0x00000000      0x00000000      0x00000000      0x00000000
0x11574:        0x00000000      0x00000000      0x00000000      0x00000003
0x11584:        0x00000000      0x00000000      0x00000000      0xff91ef70
0x11594:        0xff91f0c8      0x00000000      0x00000000      0x00000000
0x115a4:        0x00000000      0x00000000      0x00000000      0x00000000
0x115b4:        0x00000000      0x00000000      0x00000000      0x00000000


in qemu the udumper works. I guess, the image is too large! I'll check


Question:


#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess

for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;

???
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: jeff666 on 14 / July / 2008, 15:47:24
Argh! U Bastard! Why didn't u post this earlier???

Because it would have been too easy and no challenge at all :D

Quote
Question:

#if defined (DRYOS)
// #warning DRYOS
// jeff666: fill some memory with zeroes; "simulate" large diskboot
// WARNING: the starting address is a guess

for (i = 0x1c00; i<0x30000; i+=4)  *(int*)i=0;

???

Hmm... it's been a while. I think it's like that:
* Originally our diskboot-files were zero-padded to 100k.
* Some memory after 0x1900 needs to be zeroed out for WriteSDCard to work.
* Around this area are pointers to WriteSDCard and ReadSDCard which were overwritten by our large diskboot-file. WriteSDCard does work with hard-coded pointers, though.
* We reduce diskboot-size, thus locate the pointers but WriteSDCard stops working.
* To compensate we blank out memory after we found the pointer to WriteSDCard.

Cheers.
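To make jeff666's bullets concrete, here is an added model in C of the SD driver table the fixed-address udumper fills (offsets 0x3c, 0x4c, 0x50 from the disassembly, r0 = 0x11544 from the gdb session) and of what a zero-padded diskboot image does to it. This is example code written for this thread, not the udumper's or CHDK's own code: the RAM model is constructed, the ROM upper bound is taken from the map-file name, the 0x1900 load address is only an illustrative choice based on jeff666's note, and the meaning of the 0x34/0x38/0x3c words is not known from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets the fixed-address udumper stub writes in the SD driver table
 * (r0 = 0x11544 in the gdb session above). Only the two pointer slots have a
 * meaning the thread states; the flag word is what the stub stores, nothing more. */
#define TBL_ADDR       0x11544u
#define TBL_OFF_FLAG   0x3c          /* set to 3 by the stub (meaning unknown) */
#define TBL_OFF_READ   0x4c          /* ReadSDCard  */
#define TBL_OFF_WRITE  0x50          /* WriteSDCard */
#define READ_SD_CARD   0xff91ef70u   /* addresses from this thread's firmware */
#define WRITE_SD_CARD  0xff91f0c8u

#define ROM_LO 0xff800000u           /* ROM base named in the thread */
#define ROM_HI 0xffb20000u           /* upper bound taken from the map-file name; assumption */

/* Constructed model of the first 128 KiB of RAM as little-endian words. */
#define RAM_SIZE 0x20000u
typedef struct { uint32_t w[RAM_SIZE / 4]; } ram_t;

static uint32_t rd(const ram_t *r, uint32_t a)              { return r->w[a / 4]; }
static void     wr(ram_t *r, uint32_t a, uint32_t v)        { r->w[a / 4] = v; }
static int      in_rom(uint32_t v) { return v >= ROM_LO && v < ROM_HI; }

/* What the disassembled stub does: fill the table with the hard-coded pointers. */
void populate_sd_table(ram_t *r, uint32_t tbl) {
    wr(r, tbl + 0x34, 0);
    wr(r, tbl + 0x38, 0);
    wr(r, tbl + TBL_OFF_FLAG, 3);
    wr(r, tbl + TBL_OFF_READ, READ_SD_CARD);
    wr(r, tbl + TBL_OFF_WRITE, WRITE_SD_CARD);
}

/* A diskboot image zero-padded to pad_bytes and loaded at 'load' overwrites
 * everything up to load + pad_bytes (the 100k padding jeff666 mentions). */
void load_padded_image(ram_t *r, uint32_t load, uint32_t pad_bytes) {
    for (uint32_t a = load; a < load + pad_bytes && a + 4 <= RAM_SIZE; a += 4) wr(r, a, 0);
}

/* Sanity check before trusting the table: returns 0 if intact, else a bitmask
 * (1 = flag word, 2 = ReadSDCard slot, 4 = WriteSDCard slot) of clobbered fields. */
int check_sd_table(const ram_t *r, uint32_t tbl) {
    int bad = 0;
    if (rd(r, tbl + TBL_OFF_FLAG) != 3)        bad |= 1;
    if (!in_rom(rd(r, tbl + TBL_OFF_READ)))    bad |= 2;
    if (!in_rom(rd(r, tbl + TBL_OFF_WRITE)))   bad |= 4;
    return bad;
}

/* The kind of hint a search can use instead of a fixed address: two adjacent
 * words that both point into ROM. Returns how many such pairs lie in [lo, hi). */
size_t find_rom_pointer_pairs(const ram_t *r, uint32_t lo, uint32_t hi,
                              uint32_t *hits, size_t max) {
    size_t n = 0;
    for (uint32_t a = lo; a + 8 <= hi && n < max; a += 4)
        if (in_rom(rd(r, a)) && in_rom(rd(r, a + 4))) hits[n++] = a;
    return n;
}

int main(void) {
    static ram_t ram;                  /* static: 128 KiB, keep it off the stack */
    uint32_t hits[4];
    populate_sd_table(&ram, TBL_ADDR);
    printf("intact table:        bad=%d, ROM pointer pairs in 0x11000-0x12000: %zu\n",
           check_sd_table(&ram, TBL_ADDR),
           find_rom_pointer_pairs(&ram, 0x11000, 0x12000, hits, 4));
    load_padded_image(&ram, 0x1900, 4 * 1024);     /* small padding: table survives */
    printf("after 4 KiB image:   bad=%d\n", check_sd_table(&ram, TBL_ADDR));
    load_padded_image(&ram, 0x1900, 100 * 1024);   /* 100 KiB padding: table wiped */
    printf("after 100 KiB image: bad=%d\n", check_sd_table(&ram, TBL_ADDR));
    return 0;
}
```

The point of check_sd_table is the one jeff666 makes: the addresses are only valid for this firmware build, so a dumper should verify that whatever it found (or hard-coded) still looks like a pair of ROM pointers before calling through it, and the padding experiment shows why the 100k image broke the table while the 4k one did not.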
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 14 / July / 2008, 17:05:45
Argh! U Bastard! Why didn't u post this earlier???
Because it would have been to easy and no challenge at all :D

Too easy. Meanwhile I played with the older SD40 - CHDK Wiki (http://chdk.wikia.com/wiki/SD40) it boots well the stuff I compile:
[DOWNLOAD LINKS] Firmware dumps available (http://chdk.setepontos.com/index.php/topic,288.msg17580.html#msg17580)

But the SD1100 is still a beast. Wants about 4k padding but sometimes refuses to do anything ... 100K was simply too much !!!!!  >:(
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: arvacon on 18 / July / 2008, 02:35:41
Hi. I have an Ixus 85is (sd 770). Is there any hope to build a CHDK version for this camera?
Will it be possible to run the same version for what you are making now for the Ixus 80 (sd1100) in my camera?
Please guys,keep trying,don't stop now!

Ps: My firmware version is GM 1.00a
 
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: baccoba on 18 / July / 2008, 03:48:42
Hi, I am an Italian boy and I have just bought an IXUS80. I hope to succeed in installing your CHDK soon. When do you think it could be ready?
thanks and good job!
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: arvacon on 18 / July / 2008, 07:47:45
Bad news.

Yesterday my cam got a E18 "Lens error, restart camera" without any reason! :blink:

I did not drop the cam nor did I play with DISKBOOT. It simply refused to work. Looking closely I noticed the lens is not mounted correctly: the outer "Gummidichtung" (rubber seal) is not well fitting and maybe caused the blocking.

Today it operates as if nothing happened, but vers.req shows an "E18" with timestamp in the log.

So tomorrow I'm going to return the cam.
Can CHDK hurt the camera like this problem?
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: MrSpoon on 21 / July / 2008, 13:26:47
Hi, so I have the A470 and tried the encoded blinker diskboots and it gets the LCD blinking...
The led_on_off.bin.cr.5 does get the AF LED on...

I could probably work out writing a blinker and getting the LED address, but the encoding stage sounds a little beyond me... :(
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: chr on 21 / July / 2008, 14:26:21
Hi, so I have the A470 and tried the encoded blinker diskboots and it gets the LCD blinking...
The led_on_off.bin.cr.5 does get the AF LED on...
That's a good start. With that u can already calculate the led address

Quote
I could probably work out writing a blinker and getting the LED address, but the encoding stage sounds a little beyond me... :(

I started working on a udumper, but still it refuses to do the work.

Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: Yoshiofthewire on 22 / July / 2008, 05:50:38
I wanted to thank you for your hard work and ask if there is anyway I can help.  I have a SD1100IS (Brown).
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: MrSpoon on 24 / July / 2008, 14:31:26
Hey, I have qemu running and am able to decode and re-encode your earlier examples, so I have that working at least oO

When I try to encode my own diskboot.bin files though they just 'brick' the camera =/ I've never done any chdk compiling before so I get the feeling I'm just doing something silly... would you mind giving a brief runthrough to see what I've missed?

I've tried making grand's blinker code and even with your earlier led code as well...

many thanks!

EDIT: Nevermind! I got the blinker working(ish), made a new thread (http://chdk.setepontos.com/index.php/topic,2034.0.html) for my problems after that though hehe
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: Phoool on 30 / July / 2008, 01:52:14
so i'm just wondering if we are actually any closer to getting CHDK on ixus80is? i cant really understand all this talk of LED blinkers and whatnot ( :-[my bad - just not that technically minded) and was just wondering what all this means for the average pleb who just bought a shiny new ixus80is?

i got addicted to CHDK with my ixus70 which i lost recently :( hence the ixus80is...

thanks for all the hard work from everyone who understands what they are doing here...

hope we get CHDK on ixus80is soon :)

i'll just sit here patiently till then...
Title: Re: Problems dumping the SD1100IS/IXUS80IS
Post by: pricead on 30 / July / 2008, 16:42:03
so i'm just wondering if we are actually any closer to getting CHDK on ixus80is? i cant really understand all this talk of LED blinkers and whatnot ( :-[my bad - just not that technically minded) and was just wondering what all this means for the average pleb who just bought a shiny new ixus80is?

i got addicted to CHDK with my ixus70 which i lost recently :( hence the ixus80is...

thanks for all the hard work from everyone who understands what they are doing here...

hope we get CHDK on ixus80is soon :)

i'll just sit here patiently till then...

Seems like someone was successful in dumping the firmware, which is the first step to getting CHDK to work on our camera. I too anxiously await the SD1100IS/IXUS80 CHDK!